A significant vulnerability affecting passkey authentication, widely regarded as a secure passwordless method, has been disclosed by SquareX researchers at DEF CON 33.
The flaw threatens critical banking, shopping, and enterprise SaaS applications, potentially impacting billions of users globally.
Passkeys have emerged as a replacement for traditional passwords by using cryptographic key pairs for authentication. According to the FIDO Alliance, over 15 billion accounts are passkey-enabled, with 69% of users worldwide activating passkeys in at least one account. Their promise is straightforward: eliminate passwords and their inherent vulnerabilities.
However, researchers Shourya Pratap Singh, Daniel Seetoh, and Jonathan Lin revealed that passkeys rely heavily on the browser as an “honest” intermediary. Malicious browser extensions or trivial scripts can intercept and forge the passkey registration process, enabling attackers to gain unauthorized access without the victim’s device or biometrics.
Even for accounts with registered passkeys, attackers can deliberately cause authentication failures, forcing users to re-register passkeys in a compromised environment controlled by the attacker.
“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” said Shourya Pratap Singh, SquareX researcher. “What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the workflow in the browser.”
Traditional security tools such as Endpoint Detection and Response (EDR) and Secure Access Service Edge (SASE/SSE) lack the capability to detect these browser-level exploits. The attack closely mimics a legitimate passkey process, leaving users with no visual or network-based indicators to detect compromise.
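One detection idea a web application can apply on its own pages, as an added example that is not code from SquareX or the article: audit whether the WebAuthn entry points the research describes attackers intercepting (`navigator.credentials.create` and `navigator.credentials.get`) still look like the browser's native implementation. `cleanCredentials` and `shimmedCredentials` are constructed stand-ins for `navigator.credentials` so the check can run outside a browser.

```javascript
// Added example (not from the SquareX research or the article): a page-side
// integrity audit of the WebAuthn entry points that a browser-level
// interception would have to replace. Heuristic only: an extension that
// runs before page scripts can tamper with these checks as well.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  // Native (and bound) functions stringify with a "[native code]" body.
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Audits a CredentialsContainer-like object (in a browser, navigator.credentials).
// Returns an array of findings; an empty array means nothing suspicious.
function auditCredentialsApi(credentials) {
  if (credentials === null || typeof credentials !== "object") {
    return ["navigator.credentials is missing or not an object"];
  }
  const findings = [];
  for (const name of ["create", "get"]) {
    const fn = credentials[name];
    if (typeof fn !== "function") {
      findings.push(`${name} is not a function`);
      continue;
    }
    // Genuine methods live on CredentialsContainer.prototype; a
    // monkey-patch usually lands as an own property on the instance.
    if (Object.prototype.hasOwnProperty.call(credentials, name)) {
      findings.push(`${name} is an own property (possible shim)`);
    }
    if (!isNativeFunction(fn)) {
      findings.push(`${name} is not native code`);
    }
  }
  return findings;
}

// Constructed stand-ins so the audit runs offline without a browser:
// native built-ins play the role of the genuine WebAuthn methods.
const nativeLike = { create: Reflect.construct, get: Reflect.get };
const cleanCredentials = Object.create(nativeLike);
// Same container, but 'create' shadowed by a plain script function,
// the footprint a replaced API surface would leave behind.
const shimmedCredentials = Object.create(nativeLike);
shimmedCredentials.create = async function create() { return null; };

console.log(auditCredentialsApi(cleanCredentials));   // []
console.log(auditCredentialsApi(shimmedCredentials));
```

Because the check itself runs in the same page context, a finding is a signal to log and investigate server-side, not a substitute for relying party controls.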
With over 80% of enterprise data now residing in SaaS applications, the vulnerability underscores the urgent need for browser-level protection. Vivek Ramachandran, Founder of SquareX, said, “Without a browser security layer, passkeys in isolation can be easily hijacked to gain unauthorized access to enterprise SaaS apps, where critical data is stored. This highlights the need for Browser Detection and Response, an ‘EDR in the browser’, which SquareX has been pioneering.”
As passkeys become the gold standard for authentication, enterprises are urged to implement robust browser security measures to prevent malicious scripts and extensions from exploiting this vulnerability.